Mailinglist Archive: opensuse (1777 mails)

Re: [opensuse] Moving to IPv6
  • From: Adam Tauno Williams <awilliam@xxxxxxxxxxxxx>
  • Date: Wed, 08 Sep 2010 17:33:42 -0400
  • Message-id: <1283981622.3782.7.camel@xxxxxxxxxxxxxxx>
On Wed, 2010-09-08 at 14:25 -0700, John Andersen wrote:
On 9/8/2010 2:03 PM, James Knott wrote:
It's time for you to find a new ISP. NAT is broken in a number of ways.
For example, it breaks some protocols and makes it impossible for
a user to reach their network from elsewhere. Also, it's possible for an
ISP to overload NAT, as each IP address has a limited number of
ports that can be remapped.
Well, in some ways, making it harder to reach your own net is not totally a
bad idea.
What you can reach, others can reach, and with a NAT-less internet you
end up requiring protection in every device.

Golly - NAT IS NOT A SECURITY MEASURE! How many times does that have to
be said to sink in?

Desirable perhaps, but not practical.

Why? Firewalls are cheap and abundant. It is extremely practical and
[I hope] common practice. It is legally required in many circumstances.

Breaking some protocols, true; FTP is something that was broken from the start,
and the fact that it does not work well with NAT is hardly the end of the
world.

NAT is just a pain, and a pointless one.

As for impossible to reach your own net thru NAT,

False.

Watch any hacker worth his salt blow right through your NAT. NAT is not
security. A firewall is security. NAT != Firewall. NAT is at best
obfuscation, and it is obfuscation both ways [it breaks apps from inside
too, and renders PKI even more difficult than it already is].
Obfuscation is not security, so throw NAT away.

NAT is nothing, ***nothing***, but a hack for IPv4's limited address
space. That's it. Nothing else.

Just configure a firewall. Easy, done.

I suggest prior planning.

